I always get questions from people asking how to see connections being made out from different network devices. This ranges from IoT devices to gaming consoles, IP cameras, etc. I decided to put together a short and simple tutorial on how to achieve this using only one tool, Ettercap.
Ettercap is a handy little tool that has been out for a while and allows for ARP Poisoning of the Local Area Network (LAN). The main players in ARP Poisoning software are Ettercap and the ancient but still awesome Cain & Abel. I'm using Ettercap in this demonstration because I have Kali Linux installed as a VM and Ettercap does not require Windows like Cain does.
I'm going to assume that you have Ettercap installed (it comes pre-installed on newer Kali Linux distributions). The first step is launching Ettercap. To do this, open up a terminal and type "ettercap -G". Ettercap should then launch in GUI mode (hence, -G) in a new window as shown below.
Next, you are going to perform the following:
- Select "Sniff" and "Unified Sniffing"
- Select the network interface as "eth0" (or whatever your network interface is)
- Click OK
You have now started what is known as "sniffing" the network. Hopefully you have done this before, but if you haven't, congratulations!
The next step is discovering hosts on your network. The goal here is to find the two devices that you are targeting. To do this, you will go to Hosts > Scan For Hosts. A blue bar should fly across your screen.
After this, you will go to Hosts > Hosts List and you should see the IP addresses and MAC addresses that are on your Local Area Network, somewhat like the list shown below.
Nice! You're almost there. The next step is very important. In order to capture the traffic between your target device (Xbox, IP camera, etc.) and your router, you need to "position" yourself in between them. In order to do this, you will need the IP address of the following devices.
- Your Router
- Your Target Device
Lucky for you, the addresses of those devices should be sitting in your Hosts List in the Ettercap screen. In my example, I'm going to target my router (192.168.1.1) and my device located at 192.168.1.152.
Next, you are going to select your router, right click and select Add to Target 1, then do the same for your target device and select Add to Target 2. You are then going to go to the Menu bar and select Targets > Current Targets and your screen should look something like what we have below.
Now that you have your devices in the target list, it's time for the fun to begin! Navigate to the menu bar tab that says Mitm (man in the middle) and select the first option, ARP poisoning. You will then select the option sniff remote connections and click OK.
You just made the magic happen! If done correctly, you didn't completely break your internet and you have successfully placed yourself in the middle of the communications between your router and your network device. Next, you will want to view the connections that this device is making. To do this, you will navigate to View > Connections in the Menu bar. This should bring up a screen that looks something along the lines of this.
Congratulations! You have successfully MITM'd your network device. You can also fire up Wireshark and view connections that way if you prefer a more verbose view of the traffic.
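While the poisoning is active, other hosts on the LAN see the router's IP resolve to the sniffing machine's MAC address, which is how this activity shows up to anyone monitoring the network. The following is an added example, not part of the original tutorial: it parses `ip neigh` output and flags that condition. The sample table, every MAC address, the baseline value and the host at 192.168.1.50 are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: `ip neigh` output on a LAN host while ARP poisoning is active.
# All MAC addresses, and the host at 192.168.1.50, are made up for illustration.
SAMPLE_IP_NEIGH = """\
192.168.1.1 dev eth0 lladdr 08:00:27:aa:bb:cc REACHABLE
192.168.1.50 dev eth0 lladdr 08:00:27:aa:bb:cc STALE
192.168.1.152 dev eth0 lladdr 3c:52:82:11:22:33 REACHABLE
192.168.1.77 dev eth0 FAILED
"""

# Gateway MAC recorded while the network was known to be clean (constructed value).
BASELINE = {"192.168.1.1": "a4:2b:b0:de:ad:01"}

NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+\S+\s+lladdr\s+"
    r"(?P<mac>[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\b"
)

def parse_neigh(text):
    """Return {ip: mac} for entries that have a resolved link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:  # FAILED/INCOMPLETE entries carry no lladdr and are skipped
            table[m.group("ip")] = m.group("mac").lower()
    return table

def find_arp_anomalies(table, baseline):
    """Flag the two signs of ARP poisoning visible in a neighbor table."""
    alerts = []
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    # Sign 1: one MAC answering for several IPs (here, the router and another host).
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(("duplicate_mac", mac, sorted(ips)))
    # Sign 2: a pinned address (the gateway) no longer has its known-good MAC.
    for ip, known in sorted(baseline.items()):
        seen = table.get(ip)
        if seen and seen != known.lower():
            alerts.append(("mac_changed", ip, [known.lower(), seen]))
    return alerts

if __name__ == "__main__":
    for alert in find_arp_anomalies(parse_neigh(SAMPLE_IP_NEIGH), BASELINE):
        print(alert)
```

A duplicate MAC can also be legitimate (a multi-homed host or proxy ARP, for example), so the baseline comparison for the gateway is the stronger signal of the two.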